Method and arrangement for managing security reconfiguration in a
cellular communication system

ABSTRACT

Methods are discussed of managing security reconfiguration and cell update procedures in a user equipment and in a node in a cellular communication system and a user equipment and a node in the cellular communication system. Methods in the user equipment may include detecting a cell update trigger event, and aborting any ongoing security reconfiguration procedure in the user equipment in response to the detected cell update trigger event. Subsequently, a security status indication in response to the aborted security reconfiguration may be provided, and a cell update message and the provided security status indication may be jointly transmitted to a node.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.13/518,919, filed on Jul. 17, 2012, which is a 35 U.S.C. §371 nationalstage application of PCT International Application No.PCT/EP2010/058294, filed on 14 Jun. 2010, which itself claims priorityto U.S. Provisional Patent Application No. 61/298,934, filed 28 Jan.2010, the disclosures and contents of all of which are incorporated byreference herein in their entireties. The above-referenced PCTInternational Application was published in the English language asInternational Publication No. WO 2011/091865 A1 on 4 Aug. 2011.

TECHNICAL FIELD

The present invention relates to telecommunication systems in generaland specifically to management of security reconfigurations in suchsystems.

BACKGROUND

For all telecommunication systems, there is a variety of reconfigurationprocedures present. These procedures can be divided into two maingroups, based on the nature of the parameters to be reconfigured, namelysoft and physical reconfigurations. Physical reconfigurations deal withreconfigurations of a physical nature, such as radio bearerreconfiguration, transport channel reconfiguration, physical channelreconfiguration. Soft reconfigurations deal with non-physicalreconfigurations, such as for example security parameterreconfiguration. For a typical scenario of 3GPP specifications, thesetwo types of reconfigurations are treated somewhat different andconsequently suffer from different and separate problems. The presentdisclosure will focus on soft reconfigurations, in particular securityreconfigurations in relation to 3GPP specifications TS 25.331 V8.7.0section 8.1.12.4b, “Cell Update Procedure During SecurityReconfiguration”. One area of improvement concerns the case of droppedcalls due to a mismatch of security configurations between the networkand a user terminal such as a mobile phone, as a consequence of cellreselection procedure during the security reconfiguration.

For connected 3G users in the so called CELL_FACH state or mode tryingto set up a multi-RAB speech call, call drop occurs if a Cell-Updatecell reselection procedure coincides with the Security Mode procedure.To further clarify, the CELL_FACH state or mode is one of the radioresource control connected modes or states of operation. As such, for auser equipment in the CELL_FACH state the following is applicable.

-   -   No dedicated physical channel is allocated to the UE.    -   The UE continuously monitors a FACH in the downlink.    -   The UE is assigned a default common or shared transport channel        in the uplink (e.g. RACH) that it can use anytime according to        the access procedure for that transport channel.    -   The position of the UE is known by UTRAN on cell level according        to the cell where the UE last made a cell update.

It should be noted that Security Mode procedure includes negotiatingwhich ciphering and integrity protection scheme the concerned partiese.g. user equipment and network node are to use for communication. Amismatch or misalignment of security configuration between two partiese.g. user terminal and a network, will ultimately lead to a dropped callsince the parties are unable to communicate with each other.

During UE mobility, two such scenarios are possible:

-   -   1) Security Reconfiguration during Cell Update procedures, i.e.        Security Mode Command is received in a user equipment (UE) from        a network just after a Cell Update message is sent from the UE        to the network.    -   2) Cell Update procedure during Security Reconfiguration, i.e. a        Cell Update message is sent from the UE while the Security Mode        procedure is still ongoing.

Prior art, as represented by 3GPP specification TS 25.331 V8.7.0,section 8.1.12.4b, “Cell update procedure during securityreconfiguration,” section 8.1.12.2.2, “Integrity protectionconfiguration change,” and section 8.3.1.9b, “Security reconfigurationduring Cell update procedure,” describe how a user equipment UE ormobile and network should handle these two cases; however, there is roomfor improvement to further reduce the risk of calls being dropped as aresult of 3GPP specification limitations.

In general, all above mentioned problems are related to misalignment ormismatch in security (ciphering/integrity) settings when an ongoingSecurity Mode procedure is aborted, primarily due to Cell Updatecell-reselection. If both UE and radio network controller (RNC) abortthe security reconfiguration or if neither aborts, a network solutioncould easily handle this case. However, due to different race conditionsoccurring between cell update and security mode procedures, UE may abortreconfiguration but not the RNC, and vice versa. The result is anIntegrity Protection (and/or ciphering) misalignment resulting in calldrop.

With reference to FIG. 1, known Security Mode procedures from the UEpoint of view will be described. Within the time span designated “A”, itis clear from the 3GPP specification TS 25.331 V8.7.0 section 8.1.12.4b,“Cell Update Procedure During Security Reconfiguration” that the UEshall abort the ongoing security mode procedure if a Cell Update needsto be sent. This Cell Update can be triggered by any of the followingscenarios:

-   -   a) re-selection to a new cell    -   b) re-entering service area    -   c) periodical cell-update    -   d) to inform the network of a UE failure (“physical channel        failure” or “RLC unrecoverable error”)

For the present disclosure, the case of a user equipment aborting anongoing security reconfiguration procedure due to reselection to a newcell will be exploited.

When it comes to the time span designated “B” above, 3GPP specificationsare somewhat unclear and also limited regarding UE securityconfiguration behavior. If a CellUpdate message is sent during thesecurity procedure, after securityModeComplete, but before the L2ACKreceived, then as above, the UE shall abort the ongoing Security Modeprocedure (3GPP specification TS 25.331 V8.7.0 section 8.1.12.4b, “CellUpdate Procedure During Security Reconfiguration”) with special handlingfor integrity parameter COUNT-I. Some other vague guidance is given by astatement targeting the RNC [2](3GPP specification TS 25.331 V8.7.0section 8.1.12.2.2, “Integrity protection configuration change”), inwhich it is stated that the network (NW) should be aware that the UE“may” abort the security procedure.

Aborting the security procedure in the UE at this point however is notfavorable, since the UE has just acknowledged to the RNC (in SecurityMode Complete message) that the security reconfiguration is alreadyperformed even though the security reconfiguration is not yet fullyapplied in the UE until the L2ACK for securityModeComplete is receivedfrom the RNC (i.e. it is a grey area limitation in the prior art asrepresented by 3GPP specification TS 25.331 V8.7.0 section 8.1.12.4b,“Cell Update Procedure During Security Reconfiguration”).

If the UE aborts the security reconfiguration after RNC has received theSecurity Mode Complete, the new security reconfiguration will be appliedby the RNC. Hence there is a security mismatch, leading to call drop (asevidenced from live network analysis). The dropped call is due to thefact that the UE and the network at this point in time are usingdifferent security configurations and are unable to communicate.

SUMMARY

The present invention relates to methods and arrangements for improvedsecurity reconfiguration management in a cellular communication system.It is the object of the present invention to reduce the risk of droppedcalls due to cell update procedures.

In a method of managing security reconfiguration and cell updateprocedures in a user equipment in a cellular communication system thefollowing procedure is performed. A user equipment receives a securityreconfiguration request from a node, and subsequently initiates andconfirms the requested security reconfiguration to the node. At somepoint in time before node acknowledgement received, the user equipmentdetects a cell update trigger and aborts the already confirmed securityreconfiguration in response to the detected cell update trigger.Subsequently, the user equipment provides a security status indicationin response to the aborted security reconfiguration, then jointlytransmits, to the node, a cell update message and the provided securitystatus indication informing about the previously confirmed securityreconfiguration being aborted.

By these features, a mismatch between the security configurationsbetween a UE and a node in the cellular communication system is avoided.As a result, the call drop rate is reduced and the call setup rate canbe improved.

According to a further aspect of the present invention, an embodiment ofa user equipment in a cellular communication system includes means fordetecting a cell update trigger event, and means for aborting anyongoing security reconfiguration procedure in the user equipment inresponse to the detected cell update trigger event. In addition, theuser equipment includes means for providing a security status indicationin response to the aborted security reconfiguration, and means forjointly transmitting a cell update message and the provided securitystatus indication to a node.

According to yet a further aspect, an embodiment of a method of managingsecurity reconfiguration and cell update procedures in a node in acellular communication system according to the present inventionincludes the steps of transmitting a security reconfiguration request toa user equipment, and receiving a security reconfiguration confirmation.The node acknowledges and performs the confirmed securityreconfiguration. Subsequently, the node jointly receives a cell updatemessage and a security status indication informing about the confirmedsecurity reconfiguration being aborted in the user equipment. Finally,the node manages the requested security reconfiguration based on thereceived security status indication.

According to an additional aspect, an embodiment of a node in a cellularcommunication system includes means for transmitting a securityreconfiguration request to a user equipment, and means for receiving asecurity reconfiguration confirmation. In addition, the node includesmeans for acknowledging and performing the confirmed securityreconfiguration, and means for jointly receiving a cell update messageand a security status indication informing about the confirmed securityreconfiguration being aborted in the user equipment. Finally, the nodeincludes means for managing the requested security reconfiguration basedon the received security status indication.

The present invention, furthermore, coordinates advantageously cellupdate and security reconfiguration procedures and overcomes 3GPPspecification limitations as already described.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention, together with further objects and advantages thereof, maybest be understood by referring to the following description takentogether with the accompanying drawings, in which:

FIG. 1 is a schematic illustration of the known signaling during asecurity reconfiguration procedure in a user equipment;

FIG. 2 is a schematic illustration of the known signaling during asecurity reconfiguration and cell update procedure;

FIG. 3 is a schematic illustration of the known signaling during asecurity reconfiguration and cell update procedure;

FIG. 4 is a schematic illustration of an embodiment of a methodaccording to the present invention;

FIG. 5 is a schematic flow diagram of an embodiment of a method in auser equipment according to the present invention;

FIG. 6 is a schematic flow diagram of a further embodiment of a methodin a user equipment according to the present invention;

FIG. 7 is a schematic flow diagram of an embodiment of a method in anetwork node according to the present invention;

FIG. 8 is a schematic illustration of an embodiment of a user equipmentaccording to the present invention;

FIG. 9 is a schematic illustration of an embodiment of a network nodeaccording to the present invention.

ABBREVIATIONS ACK ACKnowledgement AM Acknowledgement Mode CU Cell UpdateCCCH Common Control Channel CR Change Request DCCG Dedicated ControlChannel FACH Forward Access Channel IE Information Element KPI KeyPerformance Indicators L2 Layer 2

MP Mandatory present

OP Optionally Present NW NetWork RAB Radio Access Bearer

RIM Research in motion (specific UE vendor)

RLC Radio Link Control (L2 Protocol) RNC Radio Network Controller SRBSignalling Radio Bearer TM Transparent Mode UM Unacknowledged Mode 3GPP3rd Generation Partnership Project DETAILED DESCRIPTION

The present disclosure will be described in the context of a 3GPPsystem; however it is equally applicable to similar systems with asimilar structure.

In order to fully comprehend the benefits of the present invention, amore in-depth description of prior art solutions and their potentialdrawbacks is provided below.

The two previously mentioned main race scenarios observed (duringmulti-RAB speech call from CELL-FACH) that lead to the various droppedcall symptoms are further described below and with reference to FIG. 2and FIG. 3.

In the first race scenario, with reference to FIG. 2, the Cell updatemessage and the security mode command cross over or meet in mid-air.Consequently, the RNC receives the cellUpdate message just afterSecurity Mode Command has been sent, while UE sends the cellUpdatemessage just before the Security Mode Command is received i.e. 3GPPspecifications TS 25.331 V8.7.0 section 8.3.1.9b, “Securityreconfiguration during Cell update procedure”. In FIG. 2 time isrepresented on the vertical axis, increasing from the top down. Thevarious signaling steps of the procedure in FIG. 2 are as follows:

-   -   1 Cell Update message sent from UE to RNC    -   2 Security Mode Command (security reconfiguration request) sent        from RNC to UE.

As is clearly seen in FIG. 2, the two signals 1 and 2 meet in mid air.In this case the radio network controller will be made aware of the cellupdate before receiving any confirmation of the requested securityreconfiguration.

In the second race scenario, with reference to FIG. 3, the UE sends theCellUpdate message before receiving a L2 acknowledgement for securitymode complete i.e. 3GPP specifications TS 25.331 V8.7.0 section8.1.12.4b, “Cell update procedure during security reconfiguration”. InFIG. 3, time is represented on the vertical axis, increasing from thetop down.

With reference to FIG. 3, a typical problem solved by embodiments of thepresent invention will be described. The various signaling steps of theprocedure in FIG. 3 are as follows:

-   -   1. Security Mode Command    -   2. L2 ACK for (1)    -   3. Security Mode Complete    -   4. L2 ACK for (3)    -   5. Cell Update

At time instance A the UE selects a new cell, and aborts the ongoingsecurity reconfiguration, and rolls back to the old securityreconfiguration. At time instance B, the RNC activates the new securityconfiguration. Consequently, from time instance B the UE and the RNC areoperating with different security configurations and are unable tomaintain the existing call. In this case, there is a security mismatchsince the UE is on “old” security settings while RNC is now on “new”security settings, and thus ultimately leads to call drop.

Basically, the present invention aims at enabling means and arrangementsfor avoiding a mismatch in security configuration between a network nodeand a user equipment due to the second race scenario above between cellupdate and security reconfiguration procedures.

According to a preferred embodiment of the present invention, the UE isadapted to include a security status indication e.g. information elementin the Cell Update message sent from the UE to the RNC. This IE shouldclearly inform the RNC whether an ongoing security procedure in the UEhas been aborted or not, and so the RNC can easily decide whether it isnecessary also to abort and revert to old security settings or not, ortake other suitable action.

Today, as described previously, it is possible for the UE to abort anongoing security reconfiguration procedure just before the procedurecompletion, in order to send a Cell Update to the RNC. If the RNChowever has already completed this security reconfiguration procedure atthe time of reception of this cell update, then the RNC has no way ofknowing for certain that the preceding security procedure has just beenaborted in the UE. This is currently a limitation in the 3GPPspecifications. The new proposed status indication e.g. informationelement IE can easily overcome the 3GPP limitation.

With reference to FIG. 4, a signaling scheme according to an embodimentof the present invention will be described. In comparison to thesignaling scheme of FIG. 3, all steps up to step 4 are identical. Also,actions taken at time instances A and B are identical. However, in step5 the user equipment provides a security status indication in the cellupdate message. In this embodiment, the security status indication isprovided as an information element IE that is set to TRUE if a securityreconfiguration has been aborted. Consequently, at time instance C theradio network controller receives the security status indication and isinformed that the user equipment has aborted the previously requestedsecurity reconfiguration. In this embodiment the radio networkcontroller proceeds to revert or roll back to the previous securityconfiguration. Thus, the two nodes are once again able to communicateusing the same security configuration. However, it is implied that theradio network controller can take other or additional measures uponreceiving the security status indication.

With reference to FIG. 5, a basic embodiment of a method of managingsecurity reconfiguration and cell update procedures in a user equipmentin a cellular communication system according to the present inventionwill be described. Initially a user equipment detects S30 a cell updatetrigger event. In response to the detected cell update trigger event,the user equipment aborts S40 any ongoing security reconfigurationprocedure. By aborting the security reconfiguration procedure, the userequipment reverts to or rolls back to a previous e.g. already existingsecurity configuration. Subsequently, the user equipment provides S50 asecurity status indication in response to the aborted securityreconfiguration. Finally, the security status indication and a cellupdate message are jointly transmitted S60 to a node in the cellularcommunication system, typically a radio network controller node orsimilar control node.

Basically, the cell update message of prior art is amended to include asecurity status indication, such as a boolean information element thatis set to TRUE in case of an ongoing security reconfiguration procedurebeing aborted in the user equipment, and set to FALSE otherwise.

With reference to FIG. 6, a further detailed embodiment of a method ofmanaging security reconfiguration and cell update procedures in a userequipment in a cellular communication system according to the presentinvention will be described. Steps indicated in the previous embodimentare referred to with the same reference numbers.

Initially, the user equipment receives S10 a request for a securityreconfiguration from a node, e.g. radio network controller. The userequipment initiates and confirms S20 the requested securityreconfiguration. At some point in time before node acknowledgmentreceived the user equipment detects S30 a cell update trigger, and isconsequently forced to change or reselect a cell. In response to thedetected cell update trigger, the user equipment aborts S40 the alreadyconfirmed security reconfiguration. The user equipment then provides S50a security status indication in response to the aborted securityreconfiguration. Finally, the user equipment jointly transmits S60, tothe node, a cell update message, and the provided security statusindication informing about the confirmed security reconfiguration beingaborted.

The security status indication is preferably set to a predeterminedvalue in response to an aborted security reconfiguration, according to aparticular embodiment of the invention the status indication is providedas a boolean information element. According to a particular embodiment,the security status indication is set to TRUE only in the case of anaborted security reconfiguration and a cell update message is triggeredto be sent during an ongoing security reconfiguration. Otherwise, thesecurity status indication should be cleared/set to FALSE. The securitystatus indication should not be set in the case where a securityreconfiguration has been aborted but a cell update message is not sentuntil some later time after the completed security procedure.

With reference to FIG. 7, a basic embodiment of a method of managingsecurity reconfigurations and cell update procedures in a node, e.g.radio network controller, in a cellular communication system accordingto the present invention will be described.

At some point in time the node e.g. radio network controller, transmitsS100 a security reconfiguration request to a user equipment. Uponreceiving S200 a confirmation for the security reconfiguration, the nodeacknowledges S300 and performs the security reconfiguration.Subsequently, the radio network controller jointly receives S400 a cellupdate message and a security status indication in the cell updatemessage, the indication informing about the confirmed securityreconfiguration being aborted. Finally, the radio network controllermanages its security configuration based on the received security statusindication. One possible action would be to revert to a previoussecurity configuration in response to the received status indication.Another possible action would be to reattempt the aborted securityreconfiguration. In addition, other actions are possible, under thecondition that the radio network controller recognizes the includedsecurity status indication.

With reference to FIG. 8, a general embodiment of a user equipmentaccording to the present invention will be described. The user equipmentincludes a unit 30 for detecting a cell update trigger event, and a unit40 for aborting any ongoing security reconfiguration procedure in theuser equipment in response to the detected cell update trigger event. Inaddition, the user equipment includes a unit 50 for providing 50 asecurity status indication in response to the aborted securityreconfiguration, and finally a unit for jointly transmitting 60 a cellupdate message and the provided security status indication to a node inthe communication system.

According to a particular embodiment, also with reference to FIG. 8 (inparticular the dotted boxes), the user equipment further includes a unit10 for receiving a security reconfiguration request from a node, and aunit 20 for initiating and confirming the requested securityreconfiguration;

With reference to FIG. 9, an embodiment of a node according to thepresent invention will be described. The node e.g. radio networkcontroller includes a unit 100 for transmitting a securityreconfiguration request to a user equipment, and a unit 200 forreceiving a security reconfiguration confirmation from the userequipment. In addition, the node includes a unit 300 for acknowledgingand performing the confirmed security reconfiguration, and a unit 400for jointly receiving a cell update message and a security statusindication informing about the previously confirmed securityreconfiguration being aborted. Finally, the node includes a unit 500 formanaging 500 the previously requested security reconfiguration based onthe received security status indication.

It is understood that the functional parts of the embodiments can beimplemented as hardware e.g. processors within or as software elementse.g. algorithms executable on a computer. It is also understood thatsome parts of the functionality can be provided outside the userequipment and/or node and communicated to the user equipment and nodeusing other means of communication.

Advantages of the present invention include:

The main benefit of the proposed new IE is to overcome the 3GPPlimitations and thus avoid unnecessary dropped calls at securityreconfiguration on CELL_FACH (e.g. typically at speech call setup fromCELL_FACH), hence improved KPIs and thus increased revenue and end-usersatisfaction.

This new “Security Status Indicator” IE ensures there is no securitymismatch between UE and RNC, as the RNC also rolls back to “old”security settings if cellUpdate received from UE with IE=“TRUE”,indicating the UE has aborted security procedure due to cellUpdate cellre-selection. As RNC and UE are using the same “old” security keys afterthe security procedure is aborted, then no abnormal call drop shouldoccur.

In case of any unforeseen scenarios, this IE will allow the network toconsider other alternative corrective actions rather than drop the callas occurs today.

1. A method of managing security reconfiguration and cell updateprocedures in a user equipment in a cellular communication system, themethod comprising: detecting a cell update trigger event; aborting anongoing security reconfiguration procedure in said user equipment inresponse to said detected cell update trigger event; providing asecurity status indication in response to said aborted securityreconfiguration, and jointly transmitting a cell update message and saidprovided security status indication to a node.
 2. The method accordingto claim 1, further comprising: receiving a security reconfigurationrequest from a node; initiating and confirming said requested securityreconfiguration; detecting a cell update trigger event; aborting saidconfirmed security reconfiguration in response to said detected cellupdate trigger; providing a security status indication in response tosaid aborted security reconfiguration; and jointly transmitting, to saidnode, a cell update message and said provided security status indicationinforming about said confirmed security reconfiguration being aborted.3. The method according to claim 1, wherein providing said securitystatus indication comprises setting said security status indication to apredetermined value.
 4. The method according to claim 1, wherein jointlytransmitting said cell update message and said provided security statusindication comprises transmitting said cell update message and saidprovided security status indication in a same cell update message. 5.The method according to claim 4, wherein said security status indicationis provided as a boolean information element in said cell updatemessage. 6.-7. (canceled)
 8. A method of managing securityreconfiguration and cell update procedures in a node in a cellularcommunication system, the method comprising: transmitting a securityreconfiguration request to a user equipment; receiving a securityreconfiguration confirmation; acknowledging and performing saidconfirmed security reconfiguration; jointly receiving a cell updatemessage and a security status indication informing about said confirmedsecurity reconfiguration being aborted; managing said requested securityreconfiguration based on said received security status indication. 9.The method according to claim 8, wherein managing comprises said nodereverting to a previous security configuration in response to receivingsaid security status indication.
 10. The method according to claim 8,wherein managing comprises said node retransmitting said abortedsecurity reconfiguration request in response to receiving said securitystatus indication. 11.-12. (canceled)
 13. The method according to claim1, wherein providing a security status indication comprises setting thesecurity status indication to a predetermined value in response to saidaborted security reconfiguration and in response to a cell updatemessage being triggered to be sent during an ongoing securityreconfiguration procedure.
 14. A user equipment in a cellularcommunication system, the user equipment comprising: a processorconfigured to detect a cell update trigger event, abort an ongoingsecurity reconfiguration procedure in said user equipment in response tosaid detected cell update trigger event, provide a security statusindication in response to said aborted security reconfiguration, andjointly transmit a cell update message and said provided security statusindication to a node.
 15. The user equipment according to claim 14,wherein the processor is further configured to receive a securityreconfiguration request from a node, and initiate and confirm saidrequested security reconfiguration.
 16. The user equipment according toclaim 14 wherein the processor is configured to provide a securitystatus indication by setting the security status indication to apredetermined value in response to said aborted security reconfigurationand in response to a cell update message being triggered to be sentduring an ongoing security reconfiguration procedure.
 17. A node in acellular communication system, the node comprising: a processorconfigured to transmit a security reconfiguration request to a userequipment, receive a security reconfiguration confirmation, acknowledgeand performing said confirmed security reconfiguration, jointly receivea cell update message and a security status indication informing aboutsaid confirmed security reconfiguration being aborted, and manage saidrequested security reconfiguration based on said received securitystatus indication.
 18. The node according to claim 17, wherein said nodeis a radio network controller.